Bump actions/github-script from 7 to 8

[dependabot]

Bumps actions/github-script from 7 to 8.

Release notes

Sourced from actions/github-script's releases.

v8.0.0

What's Changed

• Update Node.js version support to 24.x by @​salmanmkc in actions/github-script#637
• README for updating actions/github-script from v7 to v8 by @​sneha-krip in actions/github-script#653

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

New Contributors

• @​salmanmkc made their first contribution in actions/github-script#637
• @​sneha-krip made their first contribution in actions/github-script#653

Full Changelog: actions/github-script@v7.1.0...v8.0.0

v7.1.0

What's Changed

• Upgrade husky to v9 by @​benelan in actions/github-script#482
• Add workflow file for publishing releases to immutable action package by @​Jcambass in actions/github-script#485
• Upgrade IA Publish by @​Jcambass in actions/github-script#486
• Fix workflow status badges by @​joshmgross in actions/github-script#497
• Update usage of actions/upload-artifact by @​joshmgross in actions/github-script#512
• Clear up package name confusion by @​joshmgross in actions/github-script#514
• Update dependencies with npm audit fix by @​joshmgross in actions/github-script#515
• Specify that the used script is JavaScript by @​timotk in actions/github-script#478
• chore: Add Dependabot for NPM and Actions by @​nschonni in actions/github-script#472
• Define permissions in workflows and update actions by @​joshmgross in actions/github-script#531
• chore: Add Dependabot for .github/actions/install-dependencies by @​nschonni in actions/github-script#532
• chore: Remove .vscode settings by @​nschonni in actions/github-script#533
• ci: Use github/setup-licensed by @​nschonni in actions/github-script#473
• make octokit instance available as octokit on top of github, to make it easier to seamlessly copy examples from GitHub rest api or octokit documentations by @​iamstarkov in actions/github-script#508
• Remove octokit README updates for v7 by @​joshmgross in actions/github-script#557
• docs: add "exec" usage examples by @​neilime in actions/github-script#546
• Bump ruby/setup-ruby from 1.213.0 to 1.222.0 by @​dependabot[bot] in actions/github-script#563
• Bump ruby/setup-ruby from 1.222.0 to 1.229.0 by @​dependabot[bot] in actions/github-script#575
• Clearly document passing inputs to the script by @​joshmgross in actions/github-script#603
• Update README.md by @​nebuk89 in actions/github-script#610

New Contributors

• @​benelan made their first contribution in actions/github-script#482
• @​Jcambass made their first contribution in actions/github-script#485
• @​timotk made their first contribution in actions/github-script#478
• @​iamstarkov made their first contribution in actions/github-script#508
• @​neilime made their first contribution in actions/github-script#546
• @​nebuk89 made their first contribution in actions/github-script#610

Full Changelog: actions/github-script@v7...v7.1.0

... (truncated)

Commits

• ed59741 Merge pull request #653 from actions/sneha-krip/readme-for-v8
• 2dc352e Bold minimum Actions Runner version in README
• 01e118c Update README for Node 24 runtime requirements
• 8b222ac Apply suggestion from @​salmanmkc
• adc0eea README for updating actions/github-script from v7 to v8
• 20fe497 Merge pull request #637 from actions/node24
• e7b7f22 update licenses
• 2c81ba0 Update Node.js version support to 24.x
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[kusari-inspector]

Kusari Analysis Results:

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

The dependency analysis found no issues with pinned version changes. However, the code analysis identified 2 high-severity supply chain security risks in .github/workflows/landscape-sync.yaml. Both instances use actions/github-script@v8 (lines 74 and 138) with a mutable version tag rather than a pinned commit SHA. This is a recognized supply chain attack vector: a mutable tag can be silently redirected to a malicious commit without any visible change to the workflow file, meaning the repository would execute compromised code without warning. The risk is amplified in a CNCF automation repository context, where the workflow carries elevated permissions to create and manage GitHub issues. Action required: Replace both instances of actions/github-script@v8 with the full commit SHA corresponding to the intended release (e.g., actions/github-script@60a0d83 for v7, or the correct SHA for v8). This ensures the workflow is immutably pinned and cannot be tampered with via tag reassignment.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

Unpinned action reference detected. The action 'actions/github-script@v8' must be pinned to a full commit SHA instead of a mutable version tag. Using a mutable tag allows the action to be silently updated or replaced, creating a supply chain attack vector.

• Location: .github/workflows/landscape-sync.yaml:74

Unpinned action reference detected. The action 'actions/github-script@v8' must be pinned to a full commit SHA instead of a mutable version tag. Using a mutable tag allows the action to be silently updated or replaced, creating a supply chain attack vector.

• Location: .github/workflows/landscape-sync.yaml:138

---

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: dda9037, performed at: 2026-03-12T01:22:35Z

Found this helpful? Give it a 👍 or 👎 reaction!

[kusari-inspector]

Unpinned action reference detected. The action 'actions/github-script@v8' must be pinned to a full commit SHA instead of a mutable version tag. Using a mutable tag allows the action to be silently updated or replaced, creating a supply chain attack vector.

[kusari-inspector]

Unpinned action reference detected. The action 'actions/github-script@v8' must be pinned to a full commit SHA instead of a mutable version tag. Using a mutable tag allows the action to be silently updated or replaced, creating a supply chain attack vector.